// SPDX-License-Identifier: GPL-2.0+
/*
 * Dan Williams <dcbw@redhat.com>
 *
 * Copyright 2011 - 2014 Red Hat, Inc.
 */

#include "nm-default.h"

#include <string.h>

#include <libsecret/secret.h>

#include "applet-agent.h"
#include "utils.h"

#define KEYRING_UUID_TAG "connection-uuid"
#define KEYRING_SN_TAG "setting-name"
#define KEYRING_SK_TAG "setting-key"

static const SecretSchema network_manager_secret_schema = {
	"org.freedesktop.NetworkManager.Connection",
	SECRET_SCHEMA_DONT_MATCH_NAME,
	{
		{ KEYRING_UUID_TAG, SECRET_SCHEMA_ATTRIBUTE_STRING },
		{ KEYRING_SN_TAG, SECRET_SCHEMA_ATTRIBUTE_STRING },
		{ KEYRING_SK_TAG, SECRET_SCHEMA_ATTRIBUTE_STRING },
		{ NULL, 0 },
	}
};

G_DEFINE_TYPE (AppletAgent, applet_agent, NM_TYPE_SECRET_AGENT_OLD);

#define APPLET_AGENT_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), APPLET_TYPE_AGENT, AppletAgentPrivate))

typedef struct {
	GHashTable *requests;
	gboolean vpn_only;

	gboolean disposed;
} AppletAgentPrivate;

enum {
	GET_SECRETS,
	CANCEL_SECRETS,
	LAST_SIGNAL
};
static guint signals[LAST_SIGNAL] = { 0 };


/*******************************************************/

typedef struct {
	guint id;

	NMSecretAgentOld *agent;
	NMConnection *connection;
	char *path;
	char *setting_name;
	char **hints;
	guint32 flags;
	NMSecretAgentOldGetSecretsFunc get_callback;
	NMSecretAgentOldSaveSecretsFunc save_callback;
	NMSecretAgentOldDeleteSecretsFunc delete_callback;
	gpointer callback_data;

	GCancellable *cancellable;
	gint keyring_calls;
} Request;

static Request *
request_new (NMSecretAgentOld *agent,
             NMConnection *connection,
             const char *connection_path,
             const char *setting_name,
             const char **hints,
             guint32 flags,
             NMSecretAgentOldGetSecretsFunc get_callback,
             NMSecretAgentOldSaveSecretsFunc save_callback,
             NMSecretAgentOldDeleteSecretsFunc delete_callback,
             gpointer callback_data)
{
	static guint32 counter = 1;
	Request *r;

	r = g_slice_new0 (Request);
	r->id = counter++;
	r->agent = agent;
	r->connection = g_object_ref (connection);
	r->path = g_strdup (connection_path);
	r->setting_name = g_strdup (setting_name);
	if (hints)
		r->hints = g_strdupv ((gchar **) hints);
	r->flags = flags;
	r->get_callback = get_callback;
	r->save_callback = save_callback;
	r->delete_callback = delete_callback;
	r->callback_data = callback_data;
	r->cancellable = g_cancellable_new ();
	return r;
}

static void
request_free (Request *r)
{
	if (!g_cancellable_is_cancelled (r->cancellable))
		g_hash_table_remove (APPLET_AGENT_GET_PRIVATE (r->agent)->requests, GUINT_TO_POINTER (r->id));

	/* By the time the request is freed, all keyring calls should be completed */
	g_warn_if_fail (r->keyring_calls == 0);

	g_object_unref (r->connection);
	g_free (r->path);
	g_free (r->setting_name);
	g_strfreev (r->hints);
	g_object_unref (r->cancellable);
	memset (r, 0, sizeof (*r));
	g_slice_free (Request, r);
}

/*******************************************************/

static void
get_save_cb (NMSecretAgentOld *agent,
             NMConnection *connection,
             GError *error,
             gpointer user_data)
{
	/* Ignored */
}

static void
get_secrets_cb (AppletAgent *self,
                GVariant *secrets,
                GError *error,
                gpointer user_data)
{
	Request *r = user_data;

	/* 'secrets' shouldn't be valid if there was an error */
	if (error) {
		g_warn_if_fail (secrets == NULL);
		secrets = NULL;
	}

	if (!g_cancellable_is_cancelled (r->cancellable)) {
		/* Save updated secrets as long as user-interaction was allowed; otherwise
		 * we'd be saving secrets we just pulled out of the keyring which is somewhat
		 * redundant.
		 */
		if (secrets && (r->flags != NM_SECRET_AGENT_GET_SECRETS_FLAG_NONE)) {
			NMConnection *dupl;
			GVariantIter iter;
			const char *setting_name;

			/* Copy the existing connection and update its secrets */
			dupl = nm_simple_connection_new_clone (r->connection);
			g_variant_iter_init (&iter, secrets);
			while (g_variant_iter_next (&iter, "{&s@a{sv}}", (gpointer) &setting_name, NULL))
				nm_connection_update_secrets (dupl, setting_name, secrets, NULL);

			/* And save updated secrets to the keyring */
			nm_secret_agent_old_save_secrets (NM_SECRET_AGENT_OLD (self), dupl, get_save_cb, NULL);
			g_object_unref (dupl);
		}

		r->get_callback (NM_SECRET_AGENT_OLD (r->agent), r->connection, secrets, error, r->callback_data);
	}
	request_free (r);
}

static void
ask_for_secrets (Request *r)
{
	/* Ask the applet to get some secrets for us */
	g_signal_emit (r->agent,
	               signals[GET_SECRETS],
	               0,
	               GUINT_TO_POINTER (r->id),
	               r->connection,
	               r->setting_name,
	               r->hints,
	               r->flags,
	               get_secrets_cb,
	               r);
}

static void
check_always_ask_cb (NMSetting *setting,
                     const char *key,
                     const GValue *value,
                     GParamFlags flags,
                     gpointer user_data)
{
	gboolean *always_ask = user_data;
	NMSettingSecretFlags secret_flags = NM_SETTING_SECRET_FLAG_NONE;

	if (flags & NM_SETTING_PARAM_SECRET) {
		if (nm_setting_get_secret_flags (setting, key, &secret_flags, NULL)) {
			if (secret_flags & NM_SETTING_SECRET_FLAG_NOT_SAVED)
				*always_ask = TRUE;
		}
	}
}

static gboolean
has_always_ask (NMSetting *setting)
{
	gboolean always_ask = FALSE;

	nm_setting_enumerate_values (setting, check_always_ask_cb, &always_ask);
	return always_ask;
}

static gboolean
is_connection_always_ask (NMConnection *connection)
{
	NMSettingConnection *s_con;
	const char *ctype;
	NMSetting *setting;

	/* For the given connection type, check if the secrets for that connection
	 * are always-ask or not.
	 */
	s_con = nm_connection_get_setting_connection (connection);
	g_assert (s_con);
	ctype = nm_setting_connection_get_connection_type (s_con);

	setting = nm_connection_get_setting_by_name (connection, ctype);
	g_return_val_if_fail (setting != NULL, FALSE);

	if (has_always_ask (setting))
		return TRUE;

	/* Try type-specific settings too; be a bit paranoid and only consider
	 * secrets from settings relevant to the connection type.
	 */
	if (NM_IS_SETTING_WIRELESS (setting)) {
		setting = nm_connection_get_setting (connection, NM_TYPE_SETTING_WIRELESS_SECURITY);
		if (setting && has_always_ask (setting))
			return TRUE;
		setting = nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
		if (setting && has_always_ask (setting))
			return TRUE;
	} else if (NM_IS_SETTING_WIRED (setting)) {
		setting = nm_connection_get_setting (connection, NM_TYPE_SETTING_PPPOE);
		if (setting && has_always_ask (setting))
			return TRUE;
		setting = nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
		if (setting && has_always_ask (setting))
			return TRUE;
	}

	return FALSE;
}

static void
keyring_find_secrets_cb (GObject *source,
                         GAsyncResult *result,
                         gpointer user_data)
{
	Request *r = user_data;
	GError *error = NULL;
	GError *search_error = NULL;
	const char *connection_id = NULL;
	GVariantBuilder builder_setting, builder_connection;
	GVariantBuilder *wg_peers_builder = NULL;
	GVariant *settings = NULL;
	GList *list = NULL;
	GList *iter;
	gboolean hint_found = FALSE, ask = FALSE;

	r->keyring_calls--;
	if (g_cancellable_is_cancelled (r->cancellable)) {
		/* Callback already called by NM or dispose */
		request_free (r);
		return;
	}

	list = secret_service_search_finish (NULL, result, &search_error);
	connection_id = nm_connection_get_id (r->connection);

	if (g_error_matches (search_error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) {
		error = g_error_new_literal (NM_SECRET_AGENT_ERROR,
		                             NM_SECRET_AGENT_ERROR_USER_CANCELED,
		                             "The secrets request was canceled by the user");
		g_error_free (search_error);
		goto done;
	} else if (   (r->flags & NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION)
	           && g_error_matches (search_error, G_DBUS_ERROR, G_DBUS_ERROR_SERVICE_UNKNOWN)) {
		/* If the connection always asks for secrets, tolerate
		 * keyring service not being present. */
		g_clear_error (&search_error);
	} else if (search_error) {
		error = g_error_new (NM_SECRET_AGENT_ERROR,
		                     NM_SECRET_AGENT_ERROR_FAILED,
		                     "%s.%d - failed to read secrets from keyring (%s)",
		                     __FILE__, __LINE__, search_error->message);
		g_error_free (search_error);
		goto done;
	}

	/* Only ask if we're allowed to, so that eg a connection editor which
	 * requests secrets for its UI, for a connection which doesn't have any
	 * secrets yet, doesn't trigger the applet secrets dialog.
	 */
	if (   (r->flags & NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION)
	    && g_list_length (list) == 0) {
		g_message ("No keyring secrets found for %s/%s; asking user.", connection_id, r->setting_name);
		ask_for_secrets (r);
		return;
	}

	g_variant_builder_init (&builder_setting, NM_VARIANT_TYPE_SETTING);

	/* Extract the secrets from the list of matching keyring items */
	for (iter = list; iter != NULL; iter = g_list_next (iter)) {
		SecretItem *item = iter->data;
		SecretValue *secret;
		const char *key_name;
		GHashTable *attributes;

		secret = secret_item_get_secret (item);
		if (secret) {
			attributes = secret_item_get_attributes (item);
			key_name = g_hash_table_lookup (attributes, KEYRING_SK_TAG);
			if (!key_name) {
				g_hash_table_unref (attributes);
				secret_value_unref (secret);
				continue;
			}

			if (   nm_streq0 (r->setting_name, NM_SETTING_WIREGUARD_SETTING_NAME)
			    && g_str_has_prefix (key_name, NM_SETTING_WIREGUARD_PEERS ".")
			    && g_str_has_suffix (&key_name[NM_STRLEN(NM_SETTING_WIREGUARD_PEERS ".")],
			                         "." NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY)) {
				GVariantBuilder peer_builder;
				char *public_key = NULL;

				if (!wg_peers_builder)
					wg_peers_builder = g_variant_builder_new (G_VARIANT_TYPE ("aa{sv}"));

				public_key = g_strndup (key_name + NM_STRLEN (NM_SETTING_WIREGUARD_PEERS "."),
				                        strlen (key_name)
				                        - NM_STRLEN (NM_SETTING_WIREGUARD_PEERS ".")
				                        - NM_STRLEN ("." NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY));

				g_variant_builder_init (&peer_builder, G_VARIANT_TYPE ("a{sv}"));
				g_variant_builder_add (&peer_builder, "{sv}",
				                       NM_WIREGUARD_PEER_ATTR_PUBLIC_KEY,
				                       g_variant_new_take_string (public_key));
				g_variant_builder_add (&peer_builder, "{sv}",
				                       NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY,
				                       g_variant_new_string (secret_value_get (secret, NULL)));
				g_variant_builder_add_value (wg_peers_builder, g_variant_builder_end (&peer_builder));

			} else {
				g_variant_builder_add (&builder_setting, "{sv}", key_name,
				                       g_variant_new_string (secret_value_get (secret, NULL)));
			}

			/* See if this property matches a given hint */
			if (r->hints && r->hints[0]) {
				if (!g_strcmp0 (r->hints[0], key_name) || !g_strcmp0 (r->hints[1], key_name))
					hint_found = TRUE;
			}

			g_hash_table_unref (attributes);
			secret_value_unref (secret);
		}
	}

	if (wg_peers_builder) {
		g_variant_builder_add (&builder_setting, "{sv}",
		                       NM_SETTING_WIREGUARD_PEERS,
		                       g_variant_builder_end (wg_peers_builder));
		g_variant_builder_unref (wg_peers_builder);
	}

	/* If there were hints, and none of the hints were returned by the keyring,
	 * get some new secrets.
	 */
	if (r->flags) {
		if (r->hints && r->hints[0] && !hint_found)
			ask = TRUE;
		else if (r->flags & NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW) {
			g_message ("New secrets for %s/%s requested; ask the user", connection_id, r->setting_name);
			ask = TRUE;
		} else if (   (r->flags & NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION)
			       && is_connection_always_ask (r->connection))
			ask = TRUE;
	}

	/* Returned secrets are a{sa{sv}}; this is the outer a{s...} hash that
	 * will contain all the individual settings hashes.
	 */
	g_variant_builder_init (&builder_connection, NM_VARIANT_TYPE_CONNECTION);
	g_variant_builder_add (&builder_connection, "{sa{sv}}", r->setting_name, &builder_setting);
	settings = g_variant_ref_sink (g_variant_builder_end (&builder_connection));

done:
	g_list_free_full (list, g_object_unref);
	if (ask) {
		GVariantIter dict_iter;
		const char *setting_name;
		GVariant *setting_dict;

		/* Stuff all the found secrets into the connection for the UI to use */
		g_variant_iter_init (&dict_iter, settings);
		while (g_variant_iter_next (&dict_iter, "{s@a{sv}}", &setting_name, &setting_dict)) {
			nm_connection_update_secrets (r->connection,
			                              setting_name,
			                              setting_dict,
			                              NULL);
			g_variant_unref (setting_dict);
		}

		ask_for_secrets (r);
	} else {
		/* Otherwise send the secrets back to NetworkManager */
		r->get_callback (NM_SECRET_AGENT_OLD (r->agent), r->connection, error ? NULL : settings, error, r->callback_data);
		request_free (r);
	}

	if (settings)
		g_variant_unref (settings);
	g_clear_error (&error);
}

static void
get_secrets (NMSecretAgentOld *agent,
             NMConnection *connection,
             const char *connection_path,
             const char *setting_name,
             const char **hints,
             guint32 flags,
             NMSecretAgentOldGetSecretsFunc callback,
             gpointer callback_data)
{
	AppletAgentPrivate *priv = APPLET_AGENT_GET_PRIVATE (agent);
	Request *r;
	GError *error = NULL;
	NMSettingConnection *s_con;
	NMSetting *setting;
	const char *uuid, *ctype;
	GHashTable *attrs;

	setting = nm_connection_get_setting_by_name (connection, setting_name);
	if (!setting) {
		error = g_error_new (NM_SECRET_AGENT_ERROR,
		                     NM_SECRET_AGENT_ERROR_INVALID_CONNECTION,
		                     "%s.%d - Connection didn't have requested setting '%s'.",
		                     __FILE__, __LINE__, setting_name);
		callback (agent, connection, NULL, error, callback_data);
		g_error_free (error);
		return;
	}

	uuid = nm_connection_get_uuid (connection);

	s_con = nm_connection_get_setting_connection (connection);
	g_assert (s_con);
	ctype = nm_setting_connection_get_connection_type (s_con);

	if (!uuid || !ctype) {
		error = g_error_new (NM_SECRET_AGENT_ERROR,
		                     NM_SECRET_AGENT_ERROR_INVALID_CONNECTION,
		                     "%s.%d - Connection didn't have required UUID.",
		                     __FILE__, __LINE__);
		callback (agent, connection, NULL, error, callback_data);
		g_error_free (error);
		return;
	}

	/* Track the secrets request */
	r = request_new (agent, connection, connection_path, setting_name, hints, flags, callback, NULL, NULL, callback_data);
	g_hash_table_insert (priv->requests, GUINT_TO_POINTER (r->id), r);

	/* VPN passwords are handled by the VPN plugin's auth dialog */
	if (!strcmp (ctype, NM_SETTING_VPN_SETTING_NAME)) {
		ask_for_secrets (r);
		return;
	}

	/* Only handle non-VPN secrets if we're supposed to */
	if (priv->vpn_only == TRUE) {
		error = g_error_new_literal (NM_SECRET_AGENT_ERROR,
		                             NM_SECRET_AGENT_ERROR_NO_SECRETS,
		                             "Only handling VPN secrets at this time.");
		callback (agent, connection, NULL, error, callback_data);
		g_error_free (error);
		return;
	}

	/* For everything else we scrape the keyring for secrets first, and ask
	 * later if required.
	 */
	attrs = secret_attributes_build (&network_manager_secret_schema,
	                                 KEYRING_UUID_TAG, uuid,
	                                 KEYRING_SN_TAG, setting_name,
	                                 NULL);

	secret_service_search (NULL, &network_manager_secret_schema, attrs,
	                       SECRET_SEARCH_ALL | SECRET_SEARCH_UNLOCK | SECRET_SEARCH_LOAD_SECRETS,
	                       r->cancellable, keyring_find_secrets_cb, r);

	r->keyring_calls++;
	g_hash_table_unref (attrs);
}

/*******************************************************/

static void
cancel_get_secrets (NMSecretAgentOld *agent,
                    const char *connection_path,
                    const char *setting_name)
{
	AppletAgentPrivate *priv = APPLET_AGENT_GET_PRIVATE (agent);
	GHashTableIter iter;
	Request *r;
	GError *error;

	error = g_error_new_literal (NM_SECRET_AGENT_ERROR,
	                             NM_SECRET_AGENT_ERROR_AGENT_CANCELED,
	                             "Canceled by NetworkManager");

	g_hash_table_iter_init (&iter, priv->requests);
	while (g_hash_table_iter_next (&iter, NULL, (gpointer) &r)) {
		/* Only care about GetSecrets requests here */
		if (r->get_callback == NULL)
			continue;

		/* Cancel any matching GetSecrets call */
		if (   g_strcmp0 (r->path, connection_path) == 0
		    && g_strcmp0 (r->setting_name, setting_name) == 0) {
			/* cancel outstanding keyring operations */
			g_cancellable_cancel (r->cancellable);

			r->get_callback (NM_SECRET_AGENT_OLD (r->agent), r->connection, NULL, error, r->callback_data);
			g_hash_table_iter_remove (&iter);
			g_signal_emit (r->agent, signals[CANCEL_SECRETS], 0, GUINT_TO_POINTER (r->id));
		}
	}

	g_error_free (error);
}

/*******************************************************/

static void
save_request_try_complete (Request *r)
{
	/* Only call the SaveSecrets callback and free the request when all the
	 * secrets have been saved to the keyring.
	 */
	if (r->keyring_calls == 0) {
		if (!g_cancellable_is_cancelled (r->cancellable))
			r->save_callback (NM_SECRET_AGENT_OLD (r->agent), r->connection, NULL, r->callback_data);
		request_free (r);
	}
}

static void
save_secret_cb (GObject *source,
                GAsyncResult *result,
                gpointer user_data)
{
	secret_password_store_finish (result, NULL);
	save_request_try_complete (user_data);
}



static GHashTable *
_create_keyring_add_attr_list (NMConnection *connection,
                               const char *setting_name,
                               const char *setting_key,
                               char **out_display_name)
{
	const char *connection_id, *connection_uuid;

	g_return_val_if_fail (connection != NULL, NULL);
	g_return_val_if_fail (setting_name != NULL, NULL);
	g_return_val_if_fail (setting_key != NULL, NULL);

	connection_uuid = nm_connection_get_uuid (connection);
	g_assert (connection_uuid);
	connection_id = nm_connection_get_id (connection);
	g_assert (connection_id);

	if (out_display_name) {
		*out_display_name = g_strdup_printf ("Network secret for %s/%s/%s",
		                                     connection_id,
		                                     setting_name,
		                                     setting_key);
	}

	return secret_attributes_build (&network_manager_secret_schema,
	                                KEYRING_UUID_TAG, connection_uuid,
	                                KEYRING_SN_TAG, setting_name,
	                                KEYRING_SK_TAG, setting_key,
	                                NULL);
}

static void
save_one_secret (Request *r,
                 NMSetting *setting,
                 const char *key,
                 const char *secret,
                 const char *display_name)
{
	GHashTable *attrs;
	char *alt_display_name = NULL;
	const char *setting_name;
	NMSettingSecretFlags secret_flags = NM_SETTING_SECRET_FLAG_NONE;

	/* Don't system-owned or always-ask secrets */
	if (!nm_setting_get_secret_flags (setting, key, &secret_flags, NULL))
		return;
	if (secret_flags != NM_SETTING_SECRET_FLAG_AGENT_OWNED)
		return;

	setting_name = nm_setting_get_name (setting);
	g_assert (setting_name);

	attrs = _create_keyring_add_attr_list (r->connection,
	                                       setting_name,
	                                       key,
	                                       display_name ? NULL : &alt_display_name);
	g_assert (attrs);

	secret_password_storev (&network_manager_secret_schema, attrs, NULL,
	                        display_name ? display_name : alt_display_name, secret,
	                        r->cancellable, save_secret_cb, r);
	r->keyring_calls++;

	g_hash_table_unref (attrs);
	g_free (alt_display_name);
}

static void
vpn_secret_iter_cb (const char *key, const char *secret, gpointer user_data)
{
	Request *r = user_data;
	NMSetting *setting;
	const char *service_name, *id;
	char *display_name;

	if (secret && strlen (secret)) {
		setting = nm_connection_get_setting (r->connection, NM_TYPE_SETTING_VPN);
		g_assert (setting);
		service_name = nm_setting_vpn_get_service_type (NM_SETTING_VPN (setting));
		g_assert (service_name);
		id = nm_connection_get_id (r->connection);
		g_assert (id);

		display_name = g_strdup_printf ("VPN %s secret for %s/%s/" NM_SETTING_VPN_SETTING_NAME,
		                                key,
		                                id,
		                                service_name);
		save_one_secret (r, setting, key, secret, display_name);
		g_free (display_name);
	}
}

static void
write_one_secret_to_keyring (NMSetting *setting,
                             const char *key,
                             const GValue *value,
                             GParamFlags flags,
                             gpointer user_data)
{
	Request *r = user_data;
	GType type = G_VALUE_TYPE (value);
	const char *secret;

	if (NM_IS_SETTING_WIREGUARD (setting) && nm_streq0 (key, NM_SETTING_WIREGUARD_PEERS)) {
		NMSettingWireGuard *s_wg = NM_SETTING_WIREGUARD (setting);
		NMWireGuardPeer *peer;
		char *peer_key;
		guint i, len;

		len = nm_setting_wireguard_get_peers_len (s_wg);
		for (i = 0; i < len; i++) {
			peer = nm_setting_wireguard_get_peer (s_wg, i);
			secret = nm_wireguard_peer_get_preshared_key (peer);
			if (secret && secret[0]) {
				peer_key = g_strdup_printf (NM_SETTING_WIREGUARD_PEERS ".%s." NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY,
				                            nm_wireguard_peer_get_public_key (peer));
				save_one_secret (r, setting, peer_key, secret, NULL);
				g_free (peer_key);
			}
		}
		return;
	}

	/* Non-secrets obviously don't get saved in the keyring */
	if (!(flags & NM_SETTING_PARAM_SECRET))
		return;

	if (NM_IS_SETTING_VPN (setting) && (g_strcmp0 (key, NM_SETTING_VPN_SECRETS) == 0)) {
		g_return_if_fail (type == G_TYPE_HASH_TABLE);

		/* Process VPN secrets specially since it's a hash of secrets, not just one */
		nm_setting_vpn_foreach_secret (NM_SETTING_VPN (setting), vpn_secret_iter_cb, r);
	} else {
		/* FIXME: password-raw is not string */
		if (!g_strcmp0 (key, NM_SETTING_802_1X_PASSWORD_RAW))
			return;
		g_return_if_fail (type == G_TYPE_STRING);
		secret = g_value_get_string (value);
		if (secret && strlen (secret))
			save_one_secret (r, setting, key, secret, NULL);
	}
}

static void
save_delete_cb (NMSecretAgentOld *agent,
                NMConnection *connection,
                GError *error,
                gpointer user_data)
{
	Request *r = user_data;

	/* Ignore errors; now save all new secrets */
	nm_connection_for_each_setting_value (connection, write_one_secret_to_keyring, r);

	/* If no secrets actually got saved there may be nothing to do so
	 * try to complete the request here.  If there were secrets to save the
	 * request will get completed when those keyring calls return.
	 */
	save_request_try_complete (r);
}

static void
save_secrets (NMSecretAgentOld *agent,
              NMConnection *connection,
              const char *connection_path,
              NMSecretAgentOldSaveSecretsFunc callback,
              gpointer callback_data)
{
	AppletAgentPrivate *priv = APPLET_AGENT_GET_PRIVATE (agent);
	Request *r;

	r = request_new (agent, connection, connection_path, NULL, NULL, FALSE, NULL, callback, NULL, callback_data);
	g_hash_table_insert (priv->requests, GUINT_TO_POINTER (r->id), r);

	/* First delete any existing items in the keyring */
	nm_secret_agent_old_delete_secrets (agent, connection, save_delete_cb, r);
}

/*******************************************************/

static void
delete_find_items_cb (GObject *source,
                      GAsyncResult *result,
                      gpointer user_data)
{
	Request *r = user_data;
	GError *secret_error = NULL;
	GError *error = NULL;

	r->keyring_calls--;
	if (g_cancellable_is_cancelled (r->cancellable)) {
		/* Callback already called by NM or dispose */
		request_free (r);
		return;
	}

	secret_password_clear_finish (result, &secret_error);
	if (secret_error != NULL) {
		error = g_error_new (NM_SECRET_AGENT_ERROR,
		                     NM_SECRET_AGENT_ERROR_FAILED,
		                     "The request could not be completed (%s)",
		                     secret_error->message);
		g_error_free (secret_error);
	}

	r->delete_callback (r->agent, r->connection, error, r->callback_data);
	request_free (r);
}

static void
delete_secrets (NMSecretAgentOld *agent,
                NMConnection *connection,
                const char *connection_path,
                NMSecretAgentOldDeleteSecretsFunc callback,
                gpointer callback_data)
{
	AppletAgentPrivate *priv = APPLET_AGENT_GET_PRIVATE (agent);
	Request *r;
	NMSettingConnection *s_con;
	const char *uuid;

	r = request_new (agent, connection, connection_path, NULL, NULL, FALSE, NULL, NULL, callback, callback_data);
	g_hash_table_insert (priv->requests, GUINT_TO_POINTER (r->id), r);

	s_con = nm_connection_get_setting_connection (connection);
	g_assert (s_con);
	uuid = nm_setting_connection_get_uuid (s_con);
	g_assert (uuid);

	secret_password_clear (&network_manager_secret_schema, r->cancellable,
	                       delete_find_items_cb, r,
	                       KEYRING_UUID_TAG, uuid,
	                       NULL);
	r->keyring_calls++;
}

void
applet_agent_handle_vpn_only (AppletAgent *agent, gboolean vpn_only)
{
	g_return_if_fail (agent != NULL);
	g_return_if_fail (APPLET_IS_AGENT (agent));

	APPLET_AGENT_GET_PRIVATE (agent)->vpn_only = vpn_only;
}

/*******************************************************/

AppletAgent *
applet_agent_new (GError **error)
{
	AppletAgent *agent;

	agent = g_object_new (APPLET_TYPE_AGENT,
	                      NM_SECRET_AGENT_OLD_IDENTIFIER, "org.freedesktop.nm-applet",
	                      NM_SECRET_AGENT_OLD_CAPABILITIES, NM_SECRET_AGENT_CAPABILITY_VPN_HINTS,
	                      NULL);
	if (!g_initable_init (G_INITABLE (agent), NULL, error)) {
		g_object_unref (agent);
		return NULL;
	}

	return agent;
}

static void
applet_agent_init (AppletAgent *self)
{
	AppletAgentPrivate *priv = APPLET_AGENT_GET_PRIVATE (self);

	priv->requests = g_hash_table_new (g_direct_hash, g_direct_equal);
}

static void
dispose (GObject *object)
{
	AppletAgent *self = APPLET_AGENT (object);
	AppletAgentPrivate *priv = APPLET_AGENT_GET_PRIVATE (self);

	if (!priv->disposed) {
		GHashTableIter iter;
		Request *r;

		/* Mark any outstanding requests as canceled */
		g_hash_table_iter_init (&iter, priv->requests);
		while (g_hash_table_iter_next (&iter, NULL, (gpointer) &r))
			g_cancellable_cancel (r->cancellable);

		g_hash_table_destroy (priv->requests);
		priv->disposed = TRUE;
	}

	G_OBJECT_CLASS (applet_agent_parent_class)->dispose (object);
}

static void
applet_agent_class_init (AppletAgentClass *agent_class)
{
	GObjectClass *object_class = G_OBJECT_CLASS (agent_class);
	NMSecretAgentOldClass *parent_class = NM_SECRET_AGENT_OLD_CLASS (agent_class);

	g_type_class_add_private (agent_class, sizeof (AppletAgentPrivate));

	/* virtual methods */
	object_class->dispose = dispose;
	parent_class->get_secrets = get_secrets;
	parent_class->cancel_get_secrets = cancel_get_secrets;
	parent_class->save_secrets = save_secrets;
	parent_class->delete_secrets = delete_secrets;

	/* Signals */
	signals[GET_SECRETS] =
		g_signal_new (APPLET_AGENT_GET_SECRETS,
		              G_OBJECT_CLASS_TYPE (object_class),
		              G_SIGNAL_RUN_FIRST,
		              G_STRUCT_OFFSET (AppletAgentClass, get_secrets),
		              NULL, NULL, NULL,
		              G_TYPE_NONE, 7,
		              G_TYPE_POINTER, G_TYPE_POINTER, G_TYPE_STRING, G_TYPE_POINTER, G_TYPE_UINT, G_TYPE_POINTER, G_TYPE_POINTER);

	signals[CANCEL_SECRETS] =
		g_signal_new (APPLET_AGENT_CANCEL_SECRETS,
		              G_OBJECT_CLASS_TYPE (object_class),
		              G_SIGNAL_RUN_FIRST,
		              G_STRUCT_OFFSET (AppletAgentClass, cancel_secrets),
		              NULL, NULL, NULL,
		              G_TYPE_NONE, 1, G_TYPE_POINTER);
}

